-
Notifications
You must be signed in to change notification settings - Fork 565
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[AUTO-CHERRYPICK] Fix CVE-2025-22134 in vim for 2.0 - branch main (#1…
…1973) Co-authored-by: bhagyapathak <bhagyapathak@users.noreply.github.com>
- Loading branch information
1 parent
44055bc
commit f7c0443
Showing
2 changed files
with
124 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,119 @@ | ||
| From c9a1e257f1630a0866447e53a564f7ff96a80ead Sat Jan 11 00:00:00 2025 | ||
| From: bhapathak <bhapathak@microsoft.com> | ||
| Date: Wed, 15 Jan 2025 14:35:21 +0000 | ||
| Subject: [PATCH] Fix for CVE-2025-22134 - heap-buffer-overflow with visual mode | ||
|
|
||
| --- | ||
| diff --git a/src/arglist.c b/src/arglist.c | ||
| index 8825c8e..4eec079 100644 | ||
| --- a/src/arglist.c | ||
| +++ b/src/arglist.c | ||
| @@ -1258,6 +1258,10 @@ do_arg_all( | ||
|
|
||
| tabpage_T *new_lu_tp = curtab; | ||
|
|
||
| + // Stop Visual mode, the cursor and "VIsual" may very well be invalid after | ||
| + // switching to another buffer. | ||
| + reset_VIsual_and_resel(); | ||
| + | ||
| // Try closing all windows that are not in the argument list. | ||
| // Also close windows that are not full width; | ||
| // When 'hidden' or "forceit" set the buffer becomes hidden. | ||
| diff --git a/src/misc1.c b/src/misc1.c | ||
| index 0898efb..bb87e22 100644 | ||
| --- a/src/misc1.c | ||
| +++ b/src/misc1.c | ||
| @@ -543,11 +543,15 @@ plines_m_win(win_T *wp, linenr_T first, linenr_T last, int max) | ||
| gchar_pos(pos_T *pos) | ||
| { | ||
| char_u *ptr; | ||
| - | ||
| + int ptrlen; | ||
| + | ||
| // When searching columns is sometimes put at the end of a line. | ||
| if (pos->col == MAXCOL) | ||
| return NUL; | ||
| + ptrlen = ml_get_len(pos->lnum); | ||
| ptr = ml_get_pos(pos); | ||
| + if (pos->col > ptrlen) | ||
| + return NUL; | ||
| if (has_mbyte) | ||
| return (*mb_ptr2char)(ptr); | ||
| return (int)*ptr; | ||
| diff --git a/src/ops.c b/src/ops.c | ||
| index eb8f64c..a1bd5b3 100644 | ||
| --- a/src/ops.c | ||
| +++ b/src/ops.c | ||
| @@ -2450,6 +2450,7 @@ charwise_block_prep( | ||
| colnr_T startcol = 0, endcol = MAXCOL; | ||
| colnr_T cs, ce; | ||
| char_u *p; | ||
| + int plen = ml_get_len(lnum); | ||
|
|
||
| p = ml_get(lnum); | ||
| bdp->startspaces = 0; | ||
| @@ -2510,7 +2511,7 @@ charwise_block_prep( | ||
| else | ||
| bdp->textlen = endcol - startcol + inclusive; | ||
| bdp->textcol = startcol; | ||
| - bdp->textstart = p + startcol; | ||
| + bdp->textstart = startcol <= plen ? p + startcol : p; | ||
| } | ||
|
|
||
| /* | ||
| diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim | ||
| index 3750ebf..9cfac32 100644 | ||
| --- a/src/testdir/test_visual.vim | ||
| +++ b/src/testdir/test_visual.vim | ||
| @@ -470,7 +470,7 @@ func Test_Visual_Block() | ||
| \ "\t{", | ||
| \ "\t}"], getline(1, '$')) | ||
|
|
||
| - close! | ||
| + bw! | ||
| endfunc | ||
|
|
||
| " Test for 'p'ut in visual block mode | ||
| @@ -1080,7 +1080,7 @@ func Test_star_register() | ||
|
|
||
| delmarks < > | ||
| call assert_fails('*yank', 'E20:') | ||
| - close! | ||
| + bw! | ||
| endfunc | ||
|
|
||
| " Test for changing text in visual mode with 'exclusive' selection | ||
| @@ -1096,7 +1096,7 @@ func Test_exclusive_selection() | ||
| call assert_equal('l one', getline(1)) | ||
| set virtualedit& | ||
| set selection& | ||
| - close! | ||
| + bw! | ||
| endfunc | ||
|
|
||
| " Test for starting linewise visual with a count. | ||
| @@ -1165,6 +1165,24 @@ func Test_visual_put_in_block() | ||
| bwipe! | ||
| endfunc | ||
|
|
||
| +" the following caused a Heap-Overflow, because Vim was accessing outside of a | ||
| +" line end | ||
| +func Test_visual_pos_buffer_heap_overflow() | ||
| + set virtualedit=all | ||
| + args Xa Xb | ||
| + all | ||
| + call setline(1, ['', '', '']) | ||
| + call cursor(3, 1) | ||
| + wincmd w | ||
| + call setline(1, 'foobar') | ||
| + normal! $lv0 | ||
| + all | ||
| + call setreg('"', 'baz') | ||
| + normal! [P | ||
| + set virtualedit= | ||
| + bw! Xa Xb | ||
| +endfunc | ||
| + | ||
| func Test_visual_put_in_block_using_zp() | ||
| new | ||
| " paste using zP |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters